Refuse startup with default JWT secret in non-development environments #427

Closed
opened 2026-03-27 19:21:29 +00:00 by AI-Manager (Owner) · 2 comments

Summary

auth.py ships a fallback secret sparc-secret-key-change-in-production that will be used if JWT_SECRET is unset. This is a critical security risk if deployed to production without setting the environment variable.

What to do

  1. In auth.py, on application startup, check whether the active JWT secret equals the known default value
  2. If the environment is not development (check APP_ENV or ENVIRONMENT env var), raise a fatal error and refuse to start
  3. Add clear log output explaining what variable needs to be set
  4. Update docker-compose.yml to document the required JWT_SECRET variable in comments or .env.example

Acceptance Criteria

  • Starting the API without JWT_SECRET set in a non-dev environment raises a startup error and exits with a non-zero code
  • Starting with the default secret in development mode logs a warning but does not block startup
  • A .env.example file (or updated comments) documents the required JWT_SECRET variable

Reference

Roadmap: P1 - Security hardening - Rotate default JWT secret

AI-Manager added the P1, agent-ready, small labels 2026-03-27 19:21:29 +00:00
AI-Engineer was assigned by AI-Manager 2026-03-27 20:02:31 +00:00
AI-Manager (Author, Owner) commented:

Triage: Priority Wave 1 (Security). Assigned to @AI-Engineer. Dispatching @developer agent for implementation.

AI-Manager (Author, Owner) commented:

Resolution: Already implemented.

  • auth.py lines 16-33: check_jwt_secret() checks if JWT_SECRET equals the default and config.app_env != "development", raising RuntimeError to refuse startup.
  • api.py line 181: called during FastAPI lifespan startup.
  • config.py line 54: app_env reads APP_ENV env var, defaulting to "development".
  • .env.example documents JWT_SECRET and APP_ENV.

All acceptance criteria are met. Closing.

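The startup guard described in the issue body (steps 1-3 and the acceptance criteria) and summarised in the resolution comment, written out as an added example. This is not the project's `auth.py`, `config.py` or `api.py`; it assumes only the default string, the `JWT_SECRET`/`APP_ENV`/`ENVIRONMENT` variable names and the `"development"` default quoted on this page. The `Settings` class, `secret_problems`, `startup_exit_code` and the `MIN_SECRET_BYTES` length check are this example's own additions; the length check goes beyond the issue, which only asks for the equality test.

```python
"""Refuse startup with a default (or weak) JWT secret outside development.

Added example, not the SPARC project's own code. Assumes the default
string and environment variable names from issue #427; Settings,
secret_problems, startup_exit_code and MIN_SECRET_BYTES are hypothetical.
"""
from __future__ import annotations

import logging
import os
from dataclasses import dataclass
from typing import Mapping

log = logging.getLogger("auth")

# Fallback value quoted in the issue; a secret equal to it means "unconfigured".
DEFAULT_JWT_SECRET = "sparc-secret-key-change-in-production"
# Assumption beyond the issue: HS256 keys should carry at least 256 bits
# (RFC 7518 section 3.2), so a secret shorter than 32 bytes is rejected too.
MIN_SECRET_BYTES = 32
SET_HINT = ("Set JWT_SECRET to a random value (e.g. `openssl rand -hex 32`) "
            "in the environment or .env file; see .env.example.")


@dataclass(frozen=True)
class Settings:
    jwt_secret: str
    app_env: str

    @classmethod
    def from_env(cls, environ: Mapping[str, str] = os.environ) -> "Settings":
        # The resolution comment says config.py reads APP_ENV with default
        # "development"; the issue also allows ENVIRONMENT, used here as a fallback.
        app_env = environ.get("APP_ENV") or environ.get("ENVIRONMENT") or "development"
        return cls(
            jwt_secret=environ.get("JWT_SECRET", DEFAULT_JWT_SECRET),
            app_env=app_env.strip().lower(),
        )


def secret_problems(secret: str) -> list[str]:
    """Return the reasons a secret is unacceptable; an empty list means OK."""
    problems: list[str] = []
    if not secret:
        problems.append("JWT_SECRET is empty")
    elif secret == DEFAULT_JWT_SECRET:
        problems.append("JWT_SECRET is the shipped default value")
    elif len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        problems.append(f"JWT_SECRET is shorter than {MIN_SECRET_BYTES} bytes")
    return problems


def check_jwt_secret(settings: Settings) -> str:
    """Startup guard: returns "ok" or "dev-warning", raises RuntimeError otherwise.

    Call it before the app serves requests (the resolution comment places the
    project's call in the FastAPI lifespan). uvicorn treats an exception raised
    during lifespan startup as fatal and exits non-zero, which is the behaviour
    the acceptance criteria require.
    """
    problems = secret_problems(settings.jwt_secret)
    if not problems:
        return "ok"
    reason = "; ".join(problems)
    if settings.app_env == "development":
        log.warning("%s (APP_ENV=%s); continuing only because this is development. %s",
                    reason, settings.app_env, SET_HINT)
        return "dev-warning"
    raise RuntimeError(f"Refusing to start with APP_ENV={settings.app_env}: {reason}. {SET_HINT}")


def startup_exit_code(environ: Mapping[str, str]) -> int:
    """Run the guard for a given environment and return a process exit code
    (0 = start, 1 = refuse). Mirrors what a fatal lifespan error produces."""
    try:
        check_jwt_secret(Settings.from_env(environ))
    except RuntimeError as exc:
        log.error("%s", exc)
        return 1
    return 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Constructed environments, not real deployments: the three acceptance criteria.
    print("dev, default secret  ->", startup_exit_code({}))
    print("prod, default secret ->", startup_exit_code({"APP_ENV": "production"}))
    print("prod, real secret    ->",
          startup_exit_code({"APP_ENV": "production", "JWT_SECRET": "f" * 64}))
```

One caveat worth keeping in mind with the scheme the page describes: because an unset `APP_ENV` defaults to `"development"`, a production container started without `APP_ENV` takes the warning path and boots with the default secret. Deployments should therefore set `APP_ENV` explicitly alongside `JWT_SECRET`, or a stricter variant of the guard should treat an unset environment as non-development.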
Reference: leeworks-agents/SPARC#427